3 SCADE System
SCADE System is a system architecture design and modeling tool that allows system engineers to model the design of system components and structure using SysML block diagrams.
 - It allows system engineers to extract parts of the main system model and exchange these subsystem software models with development teams.
 - Software teams can then work on the subsystem software design with SCADE Suite.
 - Comparison of system model versions is facilitated when the subsystem software model is reintegrated into the main system model.
 - SCADE LifeCycle Reporter allows systems engineers to automatically generate up-to-date documentation at any point in the development cycle.

7 SCADE Display
SCADE Display is a flexible graphics design and code generation tool suite for the development of safety-critical embedded display systems.
With native support of the OpenGL SC standard, SCADE Display is the new generation display framework, spanning:
 - prototyping,
 - display design,
 - simulation,
 - verification & validation,
 - DO-178B certified code generation for level A software, and
 - smooth integration with other applications.
It is tightly coupled with SCADE Suite®, enabling unprecedented visibility from the deployed application to the end-user displays.

31 Why SCADE (AREVA)
Adapted to our deployed development process:
 - The SCADE formalism (node and data flow) is equivalent to the Structured Analysis SA-RT/SD method used at AREVA TA (Structured Analysis, Structured Design).
 - Understood by both system and software engineers; improvement of mutual comprehension is required by the IEC60680:2006 standard.
Supporting our generic design policy:
 - The SCADE cycle-based language is well adapted to the way embedded safety-critical software is designed at AREVA TA.
 - Easier to reach SIL4 than with the former classic development method.
 - SCADE Simulator: early detection of errors in the specification.
 - SCADE KCG: no unit testing at code level.
Less expensive deployment than other formal methods:
 - Only one week to design with the principal SCADE functions.
Improved software validation:
 - Formal proof techniques are enabled.

33 System Modelling with SCADE (AREVA)
 - Requirements modelling
 - Physical and safety allocation of requirements
 - Interfaces of each subsystem with its environment
 - Traceability with the functional specification (RM Gateway)

35 System & SW Design Validation (AREVA)
The various V&V activities are:
 - Requirement-based test specification: test scenarios define the inputs and the expected outputs for every requirement, both in the document and in the test files.
 - Automatic launch of validation tests: compute the test, play the test and verify the outputs against the expected result.
 - Automatic test reporter with AREVA TA tools.
 - Analysis of the test coverage score with SCADE MTC.

36 System & SW Design Validation (AREVA)
Different simulations can be chosen:
 - SCADE graphic simulator:
   - Well suited to verify a node during the design.
   - Cannot be used in an automatic test bench.
   - The interface is poor for system testing with a massive number of I/Os.
 - "Command line" mode:
   - Same mode as the graphic one, but with TCL language elements (functions and comments).
   - Harder to use than the graphical mode.
 - TCL script:
   - Use of a TCL instruction sequence to initialise inputs, verify the expected values of outputs, increase the cycle, flatten structure or array types, ...
   - Use of TCL programming power: loops, generic sub-functions, ...
   - A TCL scenario script can be called by another script; thus a « launcher » can sequence the scenarios.
   - All I/O transitions can be recorded.
 - External simulator calling SCADE via a DLL interface:
   - Equivalent to the TCL script, but harder to use (continuity, support, ...).
Test bench based on TCL scripts to check all software components:
 - For each component:
   - Rebuild a test program for the component.
   - Play the scenario and compare outputs to the expected values.
   - Generate a log file with the principal script step information.
   - Generate a log file with the history of the I/O transitions.
 - For all the components:
   - Compute an HTML report of validation with:
     - a link to the log files,
     - a validation success rate,
     - a global model test coverage score.

42 Formal proofs on the ATV safety software (ASTRIUM)
The LESAR tool is developed by the VERIMAG laboratory.
Example of proven properties:
 - Specification of the environment by "regular expressions":
   cam_arm( on, arm, cam_cmd, tc, hltc ) = prefix( [-on, -arm, -cam_cmd, -tc, -hltc]*.[ on, -arm, -cam_cmd, -tc, -hltc].[-on, -arm, -cam_cmd, -tc, hltc]*.~~ ) ;
 - Properties:
   - A "red button" implies eventually a CAM triggering before 4 cycles (real-time property).
   - The two MSU chains cannot both trigger a CAM at the same time (mutual exclusion property).
(The same results have now been reached with Prover.)

67 Validation and Verification Process (TEPCO)
Design Verifier:
 - A property is implemented in a SCADE node called an Observer.
 - As inputs, it receives the values the property focuses on.
 - It has one output, which is true if and only if the property is true.
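To make the Observer pattern of slide 67 concrete for the two ATV properties of slide 42 (bounded response to the "red button" and mutual exclusion of the two MSU chains), here is an added Python model of synchronous observers; it is not code from the slides, from SCADE or from the cited projects. The signal names red_button, cam_a and cam_b, the reading of "before 4 cycles" as a window of 4 cycles that includes the press cycle, and the sample trace are assumptions.

```python
# Synchronous observers, cycle-based like a SCADE node: each call to step() is
# one cycle and the return value is the single boolean output of slide 67.
from dataclasses import dataclass, field


@dataclass
class BoundedResponseObserver:
    """Property: a red-button press implies a CAM trigger within `bound` cycles
    (assumption: the press cycle counts as the first cycle of the window)."""
    bound: int = 4
    open_requests: list = field(default_factory=list)  # ages of unanswered presses

    def step(self, red_button: bool, cam: bool) -> bool:
        self.open_requests = [age + 1 for age in self.open_requests]
        if red_button:
            self.open_requests.append(1)
        if cam:                      # one CAM answers every pending press
            self.open_requests = []
        # True iff no press has waited `bound` cycles without a CAM
        return all(age < self.bound for age in self.open_requests)


def mutual_exclusion_observer(cam_chain_a: bool, cam_chain_b: bool) -> bool:
    """Property: the two MSU chains never trigger a CAM in the same cycle (stateless)."""
    return not (cam_chain_a and cam_chain_b)


def cyc(rb=False, a=False, b=False):
    """One cycle of constructed input: red button, CAM from chain A, CAM from chain B."""
    return {"red_button": rb, "cam_a": a, "cam_b": b}


def check_trace(trace, bound=4):
    """Run both observers over a trace; returns one boolean per cycle for each
    property, which is what a TCL test script would assert on cycle by cycle."""
    obs = BoundedResponseObserver(bound)
    response_ok, mutex_ok = [], []
    for cycle in trace:
        cam = cycle["cam_a"] or cycle["cam_b"]
        response_ok.append(obs.step(cycle["red_button"], cam))
        mutex_ok.append(mutual_exclusion_observer(cycle["cam_a"], cycle["cam_b"]))
    return response_ok, mutex_ok


# Constructed sample trace: press at cycle 1 answered by chain A at cycle 3 (OK);
# press at cycle 5 never answered in time (violation surfaces at cycle 8);
# both chains firing at cycle 9 (mutual-exclusion violation).
SAMPLE_TRACE = [cyc(), cyc(rb=True), cyc(), cyc(a=True), cyc(),
                cyc(rb=True), cyc(), cyc(), cyc(), cyc(a=True, b=True)]

if __name__ == "__main__":
    print(check_trace(SAMPLE_TRACE))
```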